import public key

edit on GitHub
search on VirusTotal

rule:
  meta:
    name: import public key
    namespace: data-manipulation/encryption
    authors:
      - william.ballenthin@mandiant.com
    scopes:
      static: function
      dynamic: thread
    mbc:
      - Cryptography::Encryption Key::Import Public Key [C0028.001]
    examples:
      - ffeae4a391a1d5203bd04b4161557227:0x4047A0
  features:
    - and:
      - api: advapi32.CryptAcquireContext
      - api: crypt32.CryptImportPublicKeyInfo
      - optional:
        - and:
          - api: crypt32.CryptStringToBinary
          - api: crypt32.CryptDecodeObjectEx

last edited: 2023-11-24 10:34:28